Privacy Policy

The Law Offices of Owen Hathaway, LLC (OHLaw) takes privacy very seriously. We share a commitment with our clients, who include consumers, business owners, nonprofit organizations, professionals, and several different types of health care organizations subject to HIPAA Rules and Regulations, to protect the privacy and confidentiality of personally identifiable information (PII) that we obtain.

This Policy is provided to help you better understand how we at OHLaw use, disclose, and protect PII in accordance with the terms of Business Associate Agreements.

At all times, our treatment of PII remains subject to the strictest confidentiality as required under Rule 1.6 of the Colorado Rules of Professional Conduct. We will never disclose personally identifiable information in violation of that rule.

Definitions

Business Associate Agreement (BA Agreement). A Business Associate Agreement is a formal written contract between OHLaw and a HIPAA Covered Entity or Business Associate that requires OHLaw to comply with specific requirements related to protected health information (PHI).

Covered Entity. A Covered Entity is a health plan, health care provider, or healthcare clearinghouse that must comply with the HIPAA Privacy Rule.

Personally Identifiable Information (PII). PII includes all information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

Protected Health Information (PHI). PHI includes all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity. Individually identifiable health information is any information that can be used to identify an individual and that was created, used, or disclosed (a) in the course of providing a health care service, such as diagnosis or treatment, or (b) in relation to the payment for the provision of health care services.

Use and Disclosure of PII

We will only use PII we collect in the following ways:

to deliver the services our clients have engaged us to provide

to communicate with our clients and prospective clients about the services we provide

to secure payment for our services

to third parties with the permission of the information owner

Use and Disclosure of PHI

We may use PHI for our management, administration, data aggregation and legal obligations to the extent such use of PHI is permitted or required by a BA Agreement and not prohibited by law. We may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of fulfilling our service obligations to Covered Entities, if such use or disclosure of PHI is permitted or required by the BA Agreement and would not violate the Privacy Rule.

In the event that PHI must be disclosed to a subcontractor or agent, we will ensure that the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under the BA Agreement with respect to PHI, including the implementation of reasonable and appropriate safeguards.

We may also use PHI to report violations of law to appropriate federal and state authorities.

Safeguards

We use appropriate safeguards to prevent the use or disclosure of PII, including those provided for in the various BA Agreements. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PII that we create, receive, maintain, or. Such safeguards include:

Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PII we hold is available when needed.

Mitigation of Harm

In the event of a use or disclosure of PII that is in violation of this policy, the requirements of a BA Agreement, or other law, we will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include:

Reporting any inappropriate use or disclosure of PII and any security incident of which we become aware to the appropriate people or entities; and

To the extent permitted by the Colorado Rules of Professional Conduct, documenting such disclosures of PII and information related to such disclosures to enable our clients to respond to a request for an accounting of disclosure of PII.

Access to PHI

Where necessary, we will make available to our clients information necessary for the Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.

Upon request, we will make our internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, a Covered Entity available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BA Agreement and HIPAA regulations.

DISCLAIMER: The Law Offices of Owen Hathaway, LLC is a law firm and does offer legal advice. None of the information provided on this website, however, is intended to be legal advice. Neither does using this website mean that the Law Offices of Owen Hathaway, LLC has become your attorney. In fact, using this website means you have agreed to all of the Terms of Use and other Policies published here. For high-quality, personalized legal advice and to hire the Law Offices of Owen Hathaway, LLC to become your attorney, contact us or order a service and we may be able to come to an agreement.